For Software To Facilitate Delegated Administration Of Information In A Database
Directory," which is incorporated by reference herein in its entirety.

BACKGROUND OF THE INVENTION 

This disclosure relates generally to community-based computer
services and more particularly to administration of community-based computer
services using at least one arbitrary grouping of users.

Generally, a community is a group of people who typically share a
common interest. With the advent of the Internet and e-commerce, many companies
are forming communities through intranets and extranets, for employees, suppliers,
partners and clients. The communities make it easier and less expensive for the
employees, suppliers, partners and clients to work together. In the context of
computer services, these people are known as computer users or simply users.
Information on each of the users in the communities is stored in a broad range of
directories and databases. The information may comprise the user's name, location,
telephone number, organization, login identification, password, etc. Other
information may comprise the user's access privileges to resources such as
applications and content. The directories may also store information on the physical
devices (e.g., personal computers, servers, printers, routers, communication servers,
etc.) in the networks that support the communities. Additional information may
comprise the services (e.g., operating systems, applications, shared-file systems, print
queues, etc.) available to each of the physical devices. All of the above information is
generally known as community-based computer services.

The administration (i.e., the creation, maintenance, modification,
updating and disabling) of these community-based computer services becomes
difficult as the communities grow in size and complexity. In many cases,
administration becomes an almost impossible task, unless a community is subdivided
into more manageable sub-communities. With the creation of these sub-communities,
it becomes desirable to use a team of administrators who share responsibilities for
administrating the community by assigning different individuals to administer the
sub-communities. This type of administration is referred to as delegated administration.

Currently available administration tools that facilitate delegated
administration do have their drawbacks. For instance, these tools do not provide the
ability to identify an arbitrary set of users whose management is to be delegated. In
particular, many tools require delegation of administration to occur based on a strictly
hierarchical organizational model, where each level of management in the
organization has authority to administer the people reporting to them. This approach
severely limits the ways in which a set of users can be formed and administered. For
example, a company may have a North American organization and a South American
organization. Since the currently available administration tools require delegation to
occur based on a strictly hierarchical organizational model, it would be impossible to
form a community of technicians for the company that are located from all over the
world. Consequently, it will be difficult, at best, to provide on-line services that are
targeted for all of the technicians employed by the company and that are located in
various parts of the world.

Therefore, there is a need for an administration tool that provides the
capability to identify many different and arbitrary sets of users whose management is
to be delegated so that administration can be performed for any type of organization or
community, regardless of its structure.

BRIEF SUMMARY OF THE INVENTION 

In one embodiment of this disclosure, there is a method, system and
computer readable medium that stores instructions for instructing a computer system,
to manage user information in a database directory. In this embodiment, the user
information is organized according to attribute values assigned to the information.
The organized user information is specified into at least one arbitrary group of users.
The user information associated with the at least one arbitrary group of users is then
managed.

In a second embodiment of this disclosure, there is a method, system
and computer readable medium that stores instructions for instructing a computer
system, to provide delegated administration of a user community. In this
embodiment, the user community is specified into at least one arbitrary group of users.
An administrative domain is formed from the at least one arbitrary group of users.
Administrative privileges are granted to an administrator for the administrative
domain. The granted administrative privileges can be delegated to another
administrator for the administrative domain.

In a third embodiment of this disclosure, there is a system, method and
computer readable medium that stores instructions for instructing a computer system,
to enable an administrator to control administration of a user community. In this
embodiment, user information associated with the user community is provided to an
administrator. The administrator is prompted to specify the user community into at
least one arbitrary group of users. The administrator is prompted to form an
administrative domain from the at least one arbitrary group of users. The
administrator is also prompted to define administrative privileges for the
administrative domain. The administrative domain and administrative privileges
defined by the administrator are used to control administration of the user community.

In another embodiment, there is a user community administration tool
for managing user information associated with a user community. In the user
community administration tool there is a user group specifying component that
specifies the user community into at least one arbitrary group of users and a domain
formation component that forms an administrative domain therefrom. An
administrative privileges component grants administrative privileges for the
administrative domain. An information management component manages user
information associated with the administrative domain in accordance with the granted
administrative privileges.

In still another embodiment, there is a system for managing user
information associated with a user community. This system comprises a database
directory that contains a plurality of user information. A user community
administration tool manages the plurality of user information in the database directory.
The user community administration tool comprises a user group specifying component
that specifies the user community into at least one arbitrary group of users and a
domain formation component that forms an administrative domain therefrom. An
administrative privileges component grants administrative privileges for the
administrative domain. An information management component manages the user
information associated with the administrative domain in accordance with the granted
administrative privileges. A computing unit is configured to serve the user
community administration tool and the database directory.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 shows a schematic of an example of a user community;

Fig. 2 shows an example of delegated administration of the user
community shown in Fig. 1;

Fig. 3 shows an example of a user community formed from at least one
arbitrary group of users;

Fig. 4 shows a schematic of a general purpose computer system in
which a delegated administration tool that creates and administers at least one
arbitrary group of users operates;

Fig. 5 shows a top-level component architecture diagram of the
delegated administration tool that creates and administers at least one arbitrary group of
users and that operates on the computer system shown in Fig. 4;

Fig. 6 shows an architectural diagram of a system for implementing the
delegated administration tool that creates and administers at least one arbitrary group of
users shown in Fig. 5;

Fig. 7 shows a flow chart of the acts performed to create an
administrative domain from at least one arbitrary group of users with the delegated
administration tool shown in Fig. 5;

Fig. 8 shows a flow chart describing the acts performed to assign a user
authority for an administrative domain formed from at least one arbitrary group of
users with the delegated administration tool shown in Fig. 5;

Fig. 9 shows a flow chart describing various acts performed in editing a
query rule that is used to specify at least one arbitrary group of users for an
administrative domain with the delegated administration tool shown in Fig. 5; and

Figs. 10a-10c show various screen displays that may be presented to a
user of the delegated administration tool shown in Fig. 5.

DETAILED DESCRIPTION OF THE INVENTION

Fig. 1 shows a schematic of an example of a user community receiving
a community of services from a medical services provider. The example shown in
Fig. 1 is illustrative of the concept of a user community and is not meant to limit this
disclosure. In Fig. 1, Healthcare Providers A-D are communities that receive
computer-based services from Medical Services Provider X. Examples of such
computer-based services may comprise medical information, the ability to order
medical supplies, the ability to schedule patient appointments, the ability to file claims
for patient services. Other illustrative examples of computer-based services for this
scenario may comprise benchmarking information, healthcare statistics and access to
downloadable software. The healthcare providers may also want to provide the
computer-based services to their clients, partners, vendors, suppliers, etc. In Fig. 1,
Healthcare Provider B provides the computer-based services established from Medical
Services Provider X to a Local Clinic and Local Hospital with which it has a
relationship. The computer-based services can also be provided to their employees.
In Fig. 1, the computer-based services are provided to the various departments in the
Local Hospital such as Cardiology, Radiology, Gastroenterology, Medical Research,
etc. Similar types of distribution of the computer-based services can be provided for
the other healthcare providers (i.e., Healthcare Providers A, C and D).

Medical Services Provider X stores information on each of the users in
the community in a database directory. The information may comprise the user's
name, location, telephone number, organization, login identification, password, etc.
Other information may comprise the user's access privileges to certain resources
provided by Medical Services Provider X such as applications and content. The
database directory of Medical Services Provider X may also store information on the
physical devices (e.g., personal computers, servers, printers, routers, communication
servers, etc.) in the networks that support the communities. Additional information
stored in the database directory may comprise the services (e.g., operating systems,
applications, shared-file systems, print queues, etc.) available to each of the physical
devices.

Since the user community shown in Fig. 1 can be quite large and
complex, it is desirable to subdivide and delegate administration of these
communities. Fig. 2 shows an example of delegated administration of the user
community shown in Fig. 1. In this example, there is an administrator for each
community that is responsible for managing a variety of activities that include but are
not limited to modifying user information, updating permissions to certain resources,
disabling user accounts, creating user accounts and maintaining user accounts. For
instance, the SuperAdministrator manages the activities for Medical Services Provider
X; Administrator A manages the activities for the Local Clinic associated with
Healthcare Provider B and the Cardiology department of the Local Hospital;
Administrator B manages the activities for Healthcare Providers A and B;
Administrator C manages the activities for Healthcare Provider D; Administrator D
manages the activities for the Local Hospital associated with Healthcare Provider B,
the Medical Research departments for the Local Hospital associated with Healthcare
Provider B, as well as the activities for Healthcare Provider C; Administrator E
manages the activities for the Cardiology and Radiology departments of the Local
Hospital associated with Healthcare Provider B; and Administrator F manages the
activities for the Gastroenterology department of the Local Hospital associated with
Healthcare Provider B. The extent to which Administrators A-F manage activities
depends entirely on the type of authority that they have. Other forms of delegated
administration for this example are possible as will be apparent to people skilled in
the art.

For purposes of explaining the delegated administration provided with
this disclosure, each block (i.e., Medical Services Provider X, Healthcare Providers
A-D, Local Clinic, Local Hospital, Cardiology, Radiology, Gastroenterology, Medical
Research) in the user community of Fig. 2 represents an administrative domain. An
administrative domain is a managed object that comprises a set of users, a set of user
attributes which can be modified, and a set of allowable values for those data fields
over which an administrator has authority. Possible examples of user attributes may
include but are not limited to employer, role or job description, resources that
permission has been granted to access, address and equipment used. Generally, an
administrator's authority may comprise edit authority and/or delegation authority. An
administrator has edit authority within the administrative domain when he or she may
edit certain attributes of the users. An administrator has delegation authority within
the administrative domain when he or she may define a subset of the users and
identify attributes for modification, in order to create an administrative sub-domain.
The assignment of the administrative sub-domain to a person is the delegation of that
domain. The ability to create an administrative sub-domain and to assign that domain
to a user is delegation authority. Although the authority described in this disclosure
relates generally to edit authority and delegation authority, one of ordinary skill in the
art will recognize that other types of authority such as view, modify, delete, temporary
delegation, as well as similar operations, but with limitations on the extent of
viewable data, are possible as well. These examples of authority can be used in
addition to, in place of, or in combination with the delegation and edit authority.

As mentioned above, it is desirable to be able to create communities
based on any user information without regard to structure or format of the underlying
user data in the database directory. This would enable an administrator to administer
user groups formed in many different and arbitrary sets, as opposed to groups that are
formed from sets that are generally inflexible in definition (e.g., the strictly
hierarchical organization model). For example, an administrator could administer any
arbitrary grouping of users according to information such as the users' location,
applications that users have access privileges to, contractual agreements that users
have executed, etc.

Fig. 3 shows an example of a user community formed from at least one
arbitrary group of users. In Fig. 3, the user community comprises Radiologists as one
group, employees of Healthcare Provider B as a second group and employees located
in the state of Wisconsin as a third group. Administrator G is the administrator
assigned to the three user communities. Assuming that Administrator G has been
granted at least delegation authority for at least one community (it is possible that
other types of authority such as edit, view, modify, delete, etc. can be granted), then he
or she can form an administrative domain from these groups of users. In Fig. 3, the
administrative domain formed by Administrator G comprises Radiologists that work
for Healthcare Provider B in the state of Wisconsin. A crosshatched section in Fig. 3
represents the administrative domain of Radiologists that work for Healthcare
Provider B in the state of Wisconsin. Assuming again that Administrator G has
delegation authority, then he or she can grant administrative privileges for managing
the administrative domain that comprises Radiologists that work for Healthcare
Provider B in the state of Wisconsin. In Fig. 3, Administrator G has assigned
administrative privileges to Administrator H for the administrative domain that
comprises Radiologists that work for Healthcare Provider B in the state of
Wisconsin. Assuming that Administrator H has been granted at least delegation
authority for this domain from Administrator G, then it is also possible for
Administrator H to create an administrative sub-domain from the domain of
Radiologists that work for Healthcare Provider B in the state of Wisconsin by
specifying an additional arbitrary user group from this domain. The specified
additional arbitrary user group can be based upon whatever user attributes are desired
without regard to structure or format of the underlying user data. For example,
Administrator H could create a sub-domain for radiologists who are board certified,
work in Madison, Wisconsin, and work for Healthcare Provider B. Then
Administrator H could grant administrative privileges to another administrator for this
sub-domain if desired. The example shown in Fig. 3 is illustrative of the concept of
creating a user community, administrative domain or sub-domain from at least one
arbitrary group of users and is not meant to limit this disclosure.

As an example, the above-described delegated administration
capabilities for creating and administering at least one arbitrary group of users can be
implemented in software. Fig. 4 shows a schematic of a general-purpose computer
system 10 in which a delegated administration tool that creates and administers at
least one arbitrary group of users operates. The computer system 10 generally
comprises at least one processor 12, a memory 14, input/output devices, and data
pathways (e.g., buses) 16 connecting the processor, memory and input/output devices.
The processor 12 accepts instructions and data from the memory 14 and performs
various calculations. The processor 12 includes an arithmetic logic unit (ALU) that
performs arithmetic and logical operations and a control unit that extracts instructions
from memory 14 and decodes and executes them, calling on the ALU when necessary.
The memory 14 generally includes a random-access memory (RAM) and a read-only
memory (ROM); however, there may be other types of memory such as programmable
read-only memory (PROM), erasable programmable read-only memory (EPROM) and
electrically erasable programmable read-only memory (EEPROM). Also, the memory
14 preferably contains an operating system, which executes on the processor 12. The
operating system performs basic tasks that include recognizing input, sending output
to output devices, keeping track of files and directories and controlling various
peripheral devices.

The input/output devices may comprise a keyboard 18 and a mouse 20
that enter data and instructions into the computer system 10. Also, a display 22 may
be used to allow a user to see what the computer has accomplished. Other output
devices may include a printer, plotter, synthesizer and speakers. A communication
device 24 such as a telephone or cable modem or a network card such as an Ethernet
adapter, local area network (LAN) adapter, integrated services digital network (ISDN)
adapter, or Digital Subscriber Line (DSL) adapter, enables the computer system
10 to access other computers and resources on a network such as a LAN or a wide
area network (WAN). A mass storage device 26 may be used to allow the computer
system 10 to permanently retain large amounts of data. The mass storage device may
include all types of disk drives such as floppy disks, hard disks and optical disks, as
well as tape drives that can read and write data onto a tape that could include digital
audio tapes (DAT), digital linear tapes (DLT), or other magnetically coded media.
The above-described computer system 10 can take the form of a hand-held digital
computer, personal digital assistant computer, notebook computer, personal computer,
workstation, mini-computer, mainframe computer or supercomputer.

Fig. 5 shows a top-level component architecture diagram of a delegated
administration tool 28 that can create and administer at least one arbitrary group of
users and that operates on the computer system 10 shown in Fig. 4. The delegated
administration tool 28 comprises a user group specifying component 29 that enables
an administrator to specify at least one arbitrary group of users for a user community
such as the one shown in Fig. 3. Each arbitrary group of users that is specified has
attributes associated with each of its users and allowable values of these attributes.
The administrator via the user group specifying component 29 uses combinations of
possible attribute values for each of the users as criteria for specifying the at least one
arbitrary group of users. The specified at least one arbitrary group of users can be
based upon whatever user attributes are desired by the administrator without regard to
structure or format of the underlying user data. For example, referring to Fig. 3, an
administrator can use the user group specifying component 29 to utilize user attributes
and values such as employer (Healthcare Provider B), job description (radiologist) and
address (Wisconsin) to form a user community.

The user group specifying component 29 forms the at least one
arbitrary group of users through a query rule constructed by the administrator to query
a database directory containing user information. The query rule defines the users
within the at least one arbitrary group of users. Since the database directory may not
be organized according to the desired grouping of users because of variables such as
cross-functionalities of users, different locations of users, etc., the query rule aids the
administrator in specifying the at least one arbitrary group of users. The formation of
the at least one arbitrary group of users is dynamic because user data in the database
directory that satisfies the query rule dynamically becomes a managed user within the
at least one arbitrary group of users in real-time. That is, the at least one arbitrary
group of users is formed on demand by execution of the query. Thus, if any new user
is added to the database directory and his or her data would result in satisfying the
query rule, then that user dynamically becomes a managed user within the domain
formed from the at least one arbitrary group of users in real-time. Alternatively, if a
user is removed from the database directory, then that user is dynamically and in
real-time excluded as a managed user for the domain formed from the at least one arbitrary
group of users. The dynamic formation of the at least one arbitrary group of users
enables an administrator to determine who is currently in the administrative domain
formed from the at least one arbitrary user group and who is not.

A domain formation component 30 enables an administrator to form a
user community, administrative domain or administrative sub-domain from the
specified at least one arbitrary group of users such as the ones shown and described
with Fig. 3. For example, referring to Fig. 3, the domain formation component 30
permits an administrator to form an administrative domain from the at least one
arbitrary group of users that have user attributes and values that are employed by
Healthcare Provider B, in the state of Wisconsin, as radiologists.

The delegated administration tool 28 also comprises an administrative
privileges component 32. The administrative privileges component 32 enables an
administrator to grant administrative privileges for an administrative domain or
administrative sub-domain that he or she has authority for in accordance with the
above-described manner. The granted administrative privileges may comprise at least
one of delegation authority and edit authority. As mentioned above, it is also possible
to grant other types of authority such as view, modify, delete, temporary delegation,
etc. These examples of authority can be used in addition to, in place of, or in
combination with the delegation and edit authority.

The administrative privileges component 32 also enables an
administrator to define which users in an administrative domain or sub-domain that he
or she operates and has authority for will have the granted administrative privileges.
More specifically, an administrator can use this component to define various
administrators for their operational domain by assigning delegation authority, edit
authority or other types to a particular user. Administrators with delegation authority
can also use the user group specifying component 29, domain formation component
30 and administrative privileges component 32 to form sub-domains from an
additional group of users for their operational domain by constructing a query rule,
defining administrative privileges for these newly formed sub-domains and defining
who will have delegation authority, edit authority or other types for these
sub-domains. As long as an administrator has delegation authority in a particular domain,
it is possible to continue to use the user group specifying component 29, domain
formation component 30 and administrative privileges component 32 to create a
sub-domain from at least one arbitrary group of users using a query rule and delegate
administration for the sub-domain that he or she operates in. For instance, using an
earlier example, Administrator H could create a sub-domain for radiologists who are
board certified, work in Madison, Wisconsin, and work for Healthcare Provider B.
Assuming that Administrator H has delegation authority, he or she can grant
administrative privileges to other administrators if desired for this sub-domain. An
administrator that is assigned delegation authority for this sub-domain can continue to
create an additional sub-domain (e.g., board-certified radiologists working in
Madison, Wisconsin, for Healthcare Provider B, that are trained to use X-ray Scanner
Z) of the current domain and grant authority for it to another administrator. It is
possible to continue to an arbitrary level with respect to an administrator's working
domain.

The delegated administration tool 28 also comprises an information
management component 36 that manages information associated with each of the
administrative domains in accordance with the delegated administrative privileges.
Depending on the type of authority delegated, an administrator can use the
information management component 36 to edit, view or delete specific attributes for a
user in a domain. The information management component 36 is not limited to these
functions and may perform other functions such as generating reports (e.g., reports on
all users within a domain), analyzing data (e.g., determining how frequently some
types of data change), performing statistical analysis or allowing users to perform
self-administration on certain attributes (e.g., phone number, e-mail address, passwords,
etc.).
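
The query-rule groups, sub-domains and edit/delegation authority described above can be sketched as follows. This is an added example, not code from the disclosure: the class and function names, the attribute names and the sample records are assumptions, and a query rule is simplified to a conjunction of attribute/value matches.

```python
# Added example (not from the disclosure); names and attributes are assumptions.
from dataclasses import dataclass, field

EDIT, DELEGATE = "edit", "delegate"


def sample_directory():
    """Constructed sample records standing in for the database directory."""
    rows = [("u1", "Healthcare Provider B", "radiologist", "Madison", "yes"),
            ("u2", "Healthcare Provider B", "radiologist", "Milwaukee", "no"),
            ("u3", "Healthcare Provider A", "radiologist", "Madison", "yes"),
            ("u4", "Healthcare Provider B", "cardiologist", "Madison", "yes")]
    keys = ("uid", "employer", "role", "city", "board_certified")
    return [dict(zip(keys, r), state="Wisconsin", phone="555-0100") for r in rows]


@dataclass
class Domain:
    name: str
    rule: dict        # query rule: attribute -> required value (all must match)
    editable: dict    # attribute -> set of allowable values, or None for any value
    parent: "Domain | None" = None
    grants: dict = field(default_factory=dict)  # administrator -> set of authorities

    def effective_rule(self):
        """A sub-domain inherits every criterion of its parent chain."""
        base = self.parent.effective_rule() if self.parent else {}
        return {**base, **self.rule}

    def members(self, directory):
        """Run the query on demand, so membership always reflects the directory."""
        rule = self.effective_rule()
        return [u for u in directory if all(u.get(k) == v for k, v in rule.items())]

    def _require(self, admin, authority):
        if authority not in self.grants.get(admin, set()):
            raise PermissionError(f"{admin} lacks {authority} authority in {self.name!r}")

    def grant(self, granter, admin, authorities):
        """Only a holder of delegation authority may assign authority to others."""
        self._require(granter, DELEGATE)
        self.grants.setdefault(admin, set()).update(authorities)

    def create_subdomain(self, admin, name, extra_rule, editable):
        """Narrow this domain with extra criteria; nothing may be widened."""
        self._require(admin, DELEGATE)
        inherited = self.effective_rule()
        for attr, value in extra_rule.items():
            if attr in inherited and inherited[attr] != value:
                raise PermissionError(f"criterion on {attr!r} contradicts the parent")
        for attr, allowed in editable.items():
            if attr not in self.editable:
                raise PermissionError(f"{attr!r} is not editable in the parent domain")
            limit = self.editable[attr]
            if limit is not None and (allowed is None or not set(allowed) <= limit):
                raise PermissionError(f"allowable values for {attr!r} exceed the parent's")
        # Assumption: the creator carries over only the authority held in the parent.
        return Domain(name, dict(extra_rule), dict(editable), parent=self,
                      grants={admin: set(self.grants[admin])})

    def edit(self, admin, directory, uid, attr, value):
        """Edit authority covers current members, editable attributes, allowed values."""
        self._require(admin, EDIT)
        if attr not in self.editable:
            raise PermissionError(f"{attr!r} is not editable in {self.name!r}")
        allowed = self.editable[attr]
        if allowed is not None and value not in allowed:
            raise PermissionError(f"{value!r} is not an allowable value for {attr!r}")
        for user in self.members(directory):
            if user["uid"] == uid:
                user[attr] = value
                return user
        raise PermissionError(f"{uid} is not a member of {self.name!r}")


def denied(action, *args):
    """Return True when the tool refuses the action."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    directory = sample_directory()
    top = Domain("Provider B radiologists, Wisconsin",
                 {"employer": "Healthcare Provider B", "role": "radiologist",
                  "state": "Wisconsin"},
                 {"phone": None, "city": {"Madison", "Milwaukee"}},
                 grants={"Administrator G": {EDIT, DELEGATE}})
    top.grant("Administrator G", "Administrator H", {DELEGATE})
    sub = top.create_subdomain("Administrator H", "board certified, Madison",
                               {"city": "Madison", "board_certified": "yes"},
                               {"phone": None})
    print([u["uid"] for u in sub.members(directory)])
    print(denied(sub.edit, "Administrator H", directory, "u1", "phone", "555-0199"))
```

Because a sub-domain can only add criteria and can only keep or shrink the editable attributes, authority never grows as delegation continues down the chain.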

The delegated administration tool 28 is not limited to a software
implementation. For instance, the user group specifying component 29, domain
formation component 30, administrative privileges component 32 and the information
management component 36 may take the form of hardware or firmware or
combinations of software, hardware, and firmware.

In addition, the delegated administration tool 28 is not limited to the
user group specifying component 29, domain formation component 30, administrative
privileges component 32 and information management component 36. One of
ordinary skill in the art will recognize that the delegated administration tool 28 may
have other components. For example, the delegated administration tool 28 could also
include a workflow component that manages processes surrounding user creation and
administration. Also, the delegated administration tool 28 could include a reporting
component that reports usage statistics, error conditions, etc. There could also be a
transactional management component that performs transactions using 2-phase
commit/rollback. Still another component that the delegated administration tool 28
could include is a browsing component for viewing information associated with the
hierarchy of administrative domains.

Fig. 6 shows an architectural diagram of a system 38 for implementing
the delegated administration tool shown in Fig. 5. Fig. 6 shows that there are several
ways of accessing the delegated administration tool 28. A computing unit 40 allows
an administrator to access the delegated administration tool 28. The administrator
could be the SuperAdministrator or administrators with delegation authority, edit
authority or other types of authority. Also, users in the domain may access the
delegated administration tool 28 through a computing unit 40 to perform some basic
self-administration. The computing unit 40 can take the form of a hand-held digital
computer, personal assistant computer, notebook computer, personal computer
or workstation. The administrators and users use a web browser 42 such as Microsoft
INTERNET EXPLORER or Netscape NAVIGATOR to locate and display the
delegated administration tool 28 on the computing unit 40. A communication
network such as an electronic or wireless network connects the computing unit 40 to
the delegated administration tool 28. Fig. 6 shows that the computing units 40 may
connect to the delegated administration tool 28 through a private network 44 such as
an extranet or intranet or a global network 46 such as a WAN (e.g., Internet). As
shown in Fig. 6, the delegated administration tool 28 resides in a server 48, which
comprises a web server 50 that serves the delegated administration tool 28 and a
database directory 52 (or directories) that contains the various information for the
users in all of the domains that form the community. However, the delegated
administration tool does not have to be co-resident with the server 48. If desired, the
system 38 may have functionality that enables authentication and access control of
users accessing the delegated administration tool 28. Both authentication and access
control can be handled at the web server level by the delegated administration tool 28
itself, or by commercially available packages such as Netegrity SITEMINDER.

The information in the database directory 52 as mentioned above may
comprise information such as the user's name, location, telephone number,
organization, login identification, password, etc. Other information may comprise the
user's access privileges to certain resources such as applications and content. The
database directory 52 may also store information on the physical devices (e.g.,
personal computers, servers, printers, routers, communication servers, etc.) in the
networks that support the communities. Additional information stored in the database
directory 52 may comprise the services (e.g., operating systems, applications,
shared-file systems, print queues, etc.) available to each of the physical devices. The
database directory 52 can take the form of a lightweight directory access protocol
(LDAP) database; however, other directory type databases with other types of schema
can be used with the delegated administration tool 28, including relational databases,
object-oriented databases, flat files, or other data management systems.

Using the system 38 shown in Fig. 6, an administrator such as a
SuperAdministrator or an administrator with delegation or edit authority can use the
delegated administration tool 28 to administer a community using at least one
arbitrary group of users. Also, users of the community can use the delegated
administration tool 28 to perform some self-administration. Fig. 7 shows a flow chart
describing the acts performed to create an administrative domain from at least one
arbitrary group of users with the delegated administration tool 28. To create an
administrative domain, the user must be either a SuperAdministrator or an
administrator having delegation authority. At block 54, the SuperAdministrator or
administrator with delegation authority signs in. The sign-in act can include entering
identity and security information (e.g., a valid username and password). The
delegated administration tool validates the username and password at 56. The
delegated administration tool then determines if the user has permission (i.e., the user
is a SuperAdministrator or administrator with delegation authority) to create an
administrative domain at 58. If the user is not authenticated or does not have
permission to create an administrative domain, then the user is not allowed to create a
domain.

At 60, the user identifies attributes that can be handled for the
administrative domain. As mentioned above, attributes comprise any data, which
describe information about a user (e.g., employer, job description, resources that
permission has been granted to access, address, equipment used, etc.). If desired,
some of the attributes can be restricted. For example, a country attribute can be
restricted to a limited set of country abbreviations. For instance, in order to represent
the countries United States, Canada and Mexico, a set of values can be defined such
as USA, CAN or MEX, respectively. For some of these kinds of restricted attributes,
it may be desirable to have the restricted attributes appear in the display to the user in
the form of a pull-down menu. All of the attributes that are identified can then be
viewed, edited or deleted at a subsequent time. At 62, the user assigns allowable
values for these identified attributes where needed.

Next, the user specifies at least one arbitrary group of users using
attribute values or combinations of these values that are associated with users in a user
community. In particular, the user constructs a query rule at 64 to obtain the at least
one arbitrary group of users specified for the administrative domain from the database
directory. The results of the query define the members of the groups of users in the
community or domain. After the query rule has been constructed, the community or
domain is formed at 65. Next, the database directory is updated at 66 with the data for
the newly created administrative domain. If an administrator with delegation
authority wants to create another domain from their operational domain, then blocks
58-66 are repeated. Otherwise, any time a SuperAdministrator or an administrator
with delegation authority desires to create an administrative domain for their
operational domain, then blocks 54 through 66 are repeated. Note that a
SuperAdministrator for a user community can perform any function to an
administrative domain that he or she desires such as create, modify, delete, view, etc.

Fig. 8 shows a flow chart describing the acts performed to assign a user
delegation authority, edit authority or other types of authority for a domain. The only
users that can assign delegation authority and/or edit authority are either a
SuperAdministrator or an administrator having delegation authority. If the
SuperAdministrator or administrator having delegation authority has not already
logged onto the delegated administration tool, then he or she must sign in at 68. The
delegated administration tool validates the username and password at 70.
Alternatively, if the SuperAdministrator or administrator having delegation authority
has already logged onto the delegated administration tool, then blocks 68-70 may be
bypassed. The delegated administration tool determines which domains the user has
delegation authority over, if any, at 72. Thus, if the user is an administrator with
delegation authority, then he or she will have permission to assign delegation
authority and/or edit authority for their assigned domains.

At 73, the SuperAdministrator or administrator with delegation
authority selects a particular administrative domain to operate in. The
SuperAdministrator or administrator with delegation authority may select the
administrative domain by inputting the desired domain or a string that describes the
domain, or using a combination of both. One of ordinary skill in the art will recognize
that there are other input techniques that can be used to select a domain. At 74, the
SuperAdministrator or administrator with delegation authority searches for users in
the database directory that satisfy search criteria that have been formulated. The
delegated administration tool parses and formats the search results and presents the
results to the user at 76. The SuperAdministrator or administrator with delegation
authority then selects a single user from the results for assigning authority to that
person at 78. The SuperAdministrator or administrator with delegation authority then
selects a sub-domain of the active domain for which authority will be assigned to that
user at 79. Then the SuperAdministrator or administrator with delegation authority
selects the type of authority (i.e., delegation authority, edit authority or other types of
authority) that will be assigned at 80. If desired, the SuperAdministrator or
administrator with delegation authority may set an expiration date for the assigned
authority. After the authority has been assigned, the database directory is updated at
82 with this data. Thus, any time an administrator with delegation authority desires to
delegate authority of an assigned administrative domain to another user, then at least
blocks 73 through 82 are repeated.

Fig. 9 shows a flow chart describing various acts performed in editing a
query rule for specifying at least one arbitrary group of users for an administrative
domain or sub-domain. The only users that can edit a query rule for a particular
domain are a SuperAdministrator and an administrator with delegation authority in the
operational domain that includes the particular domain. If the SuperAdministrator or
the administrator with delegation authority has not already logged onto the delegated
administration tool, then he or she must sign in at 100. The delegated administration
tool validates the username and password at 102. Alternatively, if the
SuperAdministrator or the administrator with delegation authority has already logged
onto the delegated administration tool, then blocks 100-102 may be bypassed. The
delegated administration tool then determines which domains, if any, that the user has
delegation authority over at 104. Thus, if the user is an administrator with delegation
authority then he or she will have permission to edit a query rule for any sub-domains
of their assigned domains.

At 106, the SuperAdministrator or administrator with delegation authority
selects a particular administrative domain that contains the query rule that he or she
would like to edit and that they have authority to do so. Generally, at this block the
SuperAdministrator or administrator with delegation authority inputs the domain
name and/or a string that describes the domain. The delegated administration tool
displays the current query rule associated with the at least one arbitrary group of users
for the domain at 108. The SuperAdministrator or administrator with delegation
authority then edits the query rule as desired at 110. The delegated administration tool
parses and interprets the changes and updates the database directory at 112 with this
data.

The foregoing flow charts of this disclosure show the functionality and
operation of the delegated administration tool. In this regard, each block represents a
module, segment, or portion of code, which comprises one or more executable
instructions for implementing the specified logical function(s). It should also be noted
that in some alternative implementations, the functions noted in the blocks may occur
out of the order noted in the figures or, for example, may in fact be executed
substantially concurrently or in the reverse order, depending upon the functionality
involved. Also, one of ordinary skill in the art will recognize that additional blocks
may be added. Furthermore, the functions can be implemented in programming
languages such as C++ or JAVA; however, other languages can be used.

Figs. 10a-10c show various screen displays that may be presented to a
user of the delegated administration tool shown in Fig. 5. These screen displays are
for illustrative purposes only and are not exhaustive of other types of displays. Also,
the actual look and feel of the displays can be slightly or substantially changed during
implementation. Figs. 10a-10b show screen displays that may be presented to a user
after he or she logs into the delegated administration tool 28 and is interested in
adding an administrative domain from at least one arbitrary group of users. In
particular, Fig. 10a shows a screen display that enables a user to create or edit an
administrative domain from at least one arbitrary group of users. In Fig. 10a, the user
identifies the administrative domain name and attributes that can be handled for the
domain. Fig. 10b shows a screen display that enables a user to construct or edit a
query rule for specifying the at least one arbitrary group of users for forming an
administrative domain or sub-domain. Each query rule on a line comprises an
attribute field for searching, an operator such as "equal to", "less than", "greater than",
"less than or equal to", "greater than or equal to", "not equal to", "contains", "does not
contain", "excludes", or "does not exclude"; a field for specifying a string or pattern
for searching the designated attribute; and another operator such as "AND", or "OR"
for coupling this particular query rule to any other rules. One of ordinary skill in the
art will recognize that other fields and additional attribute operators can be used to
construct a query rule. The screen display in Fig. 10b also presents the user with the
option of constructing his or her own custom made query rule. Constructing a
custom-made query rule can be achieved by using Boolean logic, a natural language
query or an SQL query.
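
The query rule of block 64 (Fig. 7) and Fig. 10b, evaluated over directory entries to
form a domain's membership, as an added example that is not code from this
disclosure. The function names, the sample entries, the attribute schema, the
left-to-right combination of AND/OR and the treatment of a missing attribute as
a non-match are assumptions made here.

```python
import operator

# Operators named in the Fig. 10b description. "excludes" and "does not
# exclude" are left out because the page does not define their semantics.
OPERATORS = {
    "equal to": operator.eq, "not equal to": operator.ne,
    "less than": operator.lt, "less than or equal to": operator.le,
    "greater than": operator.gt, "greater than or equal to": operator.ge,
    "contains": lambda a, b: b in a,
    "does not contain": lambda a, b: b not in a,
}
# Restricted attribute from the text: country limited to three codes.
RESTRICTED = {"country": {"USA", "CAN", "MEX"}}
KNOWN_ATTRIBUTES = {"login", "country", "organization"}  # assumed schema

# Constructed sample directory entries (not from the page).
DIRECTORY = [
    {"login": "avega", "country": "MEX", "organization": "Supplier-A"},
    {"login": "bchen", "country": "USA", "organization": "Supplier-A"},
    {"login": "croy", "country": "CAN", "organization": "Partner-B"},
    {"login": "dkim", "organization": "Supplier-A"},  # no country recorded
]

def validate_rule(rows):
    """Reject rows naming unknown attributes, operators, values or connectors."""
    for i, (attr, op, value, connector) in enumerate(rows):
        if attr not in KNOWN_ATTRIBUTES or op not in OPERATORS:
            raise ValueError(f"row {i}: unknown attribute or operator")
        if attr in RESTRICTED and value not in RESTRICTED[attr]:
            raise ValueError(f"row {i}: {value!r} not allowed for {attr}")
        expected = (None,) if i == len(rows) - 1 else ("AND", "OR")
        if connector not in expected:
            raise ValueError(f"row {i}: bad connector {connector!r}")

def matches(user, rows):
    """Combine rows left to right (assumed; the page gives no precedence)."""
    result, pending = False, "OR"
    for attr, op, value, connector in rows:
        # Fail closed: a user lacking the attribute never satisfies the row.
        term = attr in user and OPERATORS[op](user[attr], value)
        result = (result and term) if pending == "AND" else (result or term)
        pending = connector
    return result

def domain_members(rows, directory=DIRECTORY):
    """Return the logins whose attributes satisfy the query rule."""
    validate_rule(rows)
    return sorted(u["login"] for u in directory if matches(u, rows))
```

Because every row is checked against allow-lists before evaluation, a value typed
into the pattern field is only ever compared as data and is never spliced into a
directory or SQL query string.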

Fig. 10c shows a screen display that may be presented to a user after he
or she logs into the delegated administration tool 28 and is interested in assigning
delegation authority, edit authority or any other type of authority. In Fig. 10c, the user
has selected a particular user for delegating administration and identifies the
administrative domain name and the type of authority (e.g., delegation authority
and/or edit authority) that the user will have over that domain. In addition, an
expiration date for the assigned administrative domain and authority can be
designated. Note that more than one administrative domain can be assigned to a user.
Similarly, more than one user may be assigned to a domain. The selections for the
domain name, the type of authority and expiration date appear in Fig. 10c as pull
down menus; however, other options for inputting data may be used if desired.
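
The authority assignment of Fig. 8 (blocks 72 through 82) and Fig. 10c, as an added
example that is not code from this disclosure. The `Directory` class, the domain
names, the rule that delegation authority over a domain covers that domain and its
sub-domains, and the choice that a grant stays valid through its expiration date are
assumptions made here.

```python
from datetime import date

# Constructed domain hierarchy: child -> parent (None marks the root).
PARENT = {"community": None, "suppliers": "community",
          "suppliers-mex": "suppliers", "partners": "community"}
AUTHORITY_TYPES = {"delegation", "edit"}


def within(domain, ancestor):
    """True if `domain` is `ancestor` or lies beneath it in the hierarchy."""
    while domain is not None:
        if domain == ancestor:
            return True
        domain = PARENT[domain]
    return False


class Directory:
    def __init__(self, super_admins):
        self.super_admins = set(super_admins)
        self.grants = []  # (user, domain, authority, expires or None)

    def delegation_domains(self, user, today):
        """Block 72: domains where `user` holds unexpired delegation authority."""
        return {d for u, d, a, exp in self.grants
                if u == user and a == "delegation"
                and (exp is None or today <= exp)}  # valid through expiry day

    def assign(self, grantor, user, domain, authority, today, expires=None):
        """Blocks 78-82: record a grant only if the grantor may make it."""
        if domain not in PARENT or authority not in AUTHORITY_TYPES:
            raise ValueError("unknown domain or authority type")
        if expires is not None and expires < today:
            raise ValueError("expiration date is in the past")
        # Edit authority alone never permits assigning authority to others.
        allowed = grantor in self.super_admins or any(
            within(domain, d) for d in self.delegation_domains(grantor, today))
        if not allowed:
            raise PermissionError(f"{grantor} cannot delegate over {domain}")
        self.grants.append((user, domain, authority, expires))
```

The expiration date is checked each time a grantor's authority is evaluated, so an
expired delegation stops working without any clean-up of the stored grant.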

The above-described delegated administration tool comprises an
ordered listing of executable instructions for implementing logical functions. The
ordered listing can be embodied in any computer-readable medium for use by or in
connection with a computer-based system that can retrieve the instructions and
execute them. In the context of this application, the computer-readable medium can
be any means that can contain, store, communicate, propagate, transmit or transport
the instructions. The computer readable medium can be an electronic, a magnetic, an
optical, an electromagnetic, or an infrared system, apparatus, or device. An
illustrative, but non-exhaustive list of computer readable mediums can include an
electrical connection (electronic) having one or more wires, a portable computer
diskette (magnetic), a random access memory (RAM) (magnetic), a read-only memory
(ROM) (magnetic), an erasable programmable read-only memory (EPROM or Flash
memory) (magnetic), an optical fiber (optical), and a portable compact disc read-only
memory (CDROM) (optical).

Note that the computer readable medium may comprise paper or
another suitable medium upon which the instructions are printed. For instance, the
instructions can be electronically captured via optical scanning of the paper or other
medium, then compiled, interpreted or otherwise processed in a suitable manner if
necessary, and then stored in a computer memory.

It is apparent that there has been provided in accordance with this
invention, a delegated administration tool. While the invention has been particularly
shown and described in conjunction with a preferred embodiment thereof, it will be
appreciated that variations and modifications can be effected by a person of ordinary
skill in the art without departing from the scope of the invention.



